WSA Events
-
Hi. I got the following situation,
void FunctionA(some params)
{
// do something
SOCKET sock = create new socket();
WSAEVENT hEvent = new event();
wsaeventselect(sock, event, some flags);
FunctionB(sock);
delete event();
}void FunctionB(sock)
{
// here do something else with a socket
}The thing is, i dont have access to
FunctionA()but it callsFunctionB()
, where i am the master and can do anything. In function B i am receiving a socket which has an event associated with it but nothing else. I got no handle to an event - nothing, just a socket. Is there any way to get this event handle having only socket descriptor? If there is no such API, windows system should store these events somewhere, right? Is there any way to dig into this place and grab events from there? Thanks
011011010110000101100011011010000110100101101110 0110010101110011
-
Hi. I got the following situation,
void FunctionA(some params)
{
// do something
SOCKET sock = create new socket();
WSAEVENT hEvent = new event();
wsaeventselect(sock, event, some flags);
FunctionB(sock);
delete event();
}void FunctionB(sock)
{
// here do something else with a socket
}The thing is, i dont have access to
FunctionA()but it callsFunctionB()
, where i am the master and can do anything. In function B i am receiving a socket which has an event associated with it but nothing else. I got no handle to an event - nothing, just a socket. Is there any way to get this event handle having only socket descriptor? If there is no such API, windows system should store these events somewhere, right? Is there any way to dig into this place and grab events from there? Thanks
011011010110000101100011011010000110100101101110 0110010101110011
I don't know anything at all about WSA sockets, save for the few crumbs I just picked up reading the winsock function reference at msdn. However, I can see nothing to indicate this to be the case - nor can I think of a reason why this would necessarily be included - i.e if it's a socket you've created, then surely it is also you thas already attached said event to it - in which case you'd already have it's handle.. At least that's the way I guess it. With that in mind, and the preparedness to go poking about in windows' memory space, I'd suggest that there is likely to be a far simpler way - unless of course FunctionA is in the kernel. When FunctionB ends, it has to be able to return control to FunctionA, right? With this address available, you can look at the (machine) code for FunctionA, so with a little fancy footwork you can easily get the location in memory of the variable that is used to store the newly created event, and snatch the handle from there.. You know how I'd go about it? I'd write a dummy FunctionB, and put a statement something like
printf("here is my marker");
I'd then fire-up the program in OllyDbg, and search for refferences to "here is my marker". When I'd found the place that the memory containing this string was referenced, I'd know that I'd found my FunctionB. From there I would simply place a break-point inside my function, start the program running and wait for it to hit the break-point. Single-stepping would then allow me to return to FunctionA, where I could grab the required handle from the memory it was originally stored into. Might take 30 mins to come up with working code for a real FunctionB to grab the event handle, so long as there's no bumps along the way like protected memory. I forget how to go about reading a process's memory but I've got code some where to do it. You sure have got me curious about your project.. :thumbsup:
-
I don't know anything at all about WSA sockets, save for the few crumbs I just picked up reading the winsock function reference at msdn. However, I can see nothing to indicate this to be the case - nor can I think of a reason why this would necessarily be included - i.e if it's a socket you've created, then surely it is also you thas already attached said event to it - in which case you'd already have it's handle.. At least that's the way I guess it. With that in mind, and the preparedness to go poking about in windows' memory space, I'd suggest that there is likely to be a far simpler way - unless of course FunctionA is in the kernel. When FunctionB ends, it has to be able to return control to FunctionA, right? With this address available, you can look at the (machine) code for FunctionA, so with a little fancy footwork you can easily get the location in memory of the variable that is used to store the newly created event, and snatch the handle from there.. You know how I'd go about it? I'd write a dummy FunctionB, and put a statement something like
printf("here is my marker");
I'd then fire-up the program in OllyDbg, and search for refferences to "here is my marker". When I'd found the place that the memory containing this string was referenced, I'd know that I'd found my FunctionB. From there I would simply place a break-point inside my function, start the program running and wait for it to hit the break-point. Single-stepping would then allow me to return to FunctionA, where I could grab the required handle from the memory it was originally stored into. Might take 30 mins to come up with working code for a real FunctionB to grab the event handle, so long as there's no bumps along the way like protected memory. I forget how to go about reading a process's memory but I've got code some where to do it. You sure have got me curious about your project.. :thumbsup:
The thing is, socket is not created by me. Well, i was able to grab a list of events using ntquerysysteminformation and ntqueryobject but there seems to be no way to find out if a current event was selected by WSAEventSelect for a specified socket. enhzflep, this rather must be "out-of-the-box-working-template-automated-appliable-to-everything" code :P Seems like the easiest way would be to just insert inline hook, but more hooks - less stable the app become =/
011011010110000101100011011010000110100101101110 0110010101110011
-
Hi. I got the following situation,
void FunctionA(some params)
{
// do something
SOCKET sock = create new socket();
WSAEVENT hEvent = new event();
wsaeventselect(sock, event, some flags);
FunctionB(sock);
delete event();
}void FunctionB(sock)
{
// here do something else with a socket
}The thing is, i dont have access to
FunctionA()but it callsFunctionB()
, where i am the master and can do anything. In function B i am receiving a socket which has an event associated with it but nothing else. I got no handle to an event - nothing, just a socket. Is there any way to get this event handle having only socket descriptor? If there is no such API, windows system should store these events somewhere, right? Is there any way to dig into this place and grab events from there? Thanks
011011010110000101100011011010000110100101101110 0110010101110011
Even if you could get the event handle, what would you do with it? I assume you also don't have control over how the event is being used so you won't have any synchronization with whatever thread(s) are already using the event...
Mark Salsbery Microsoft MVP - Visual C++ :java:
-
Even if you could get the event handle, what would you do with it? I assume you also don't have control over how the event is being used so you won't have any synchronization with whatever thread(s) are already using the event...
Mark Salsbery Microsoft MVP - Visual C++ :java:
There are lots of things i can do with event, Mark. I can wait on it, so i dont have to deselect old event and select new one, so the original thread have a control over this original event. I can block signaling this event and signal it when i am done with my job, so original thread will be notified when it is appropriate.
011011010110000101100011011010000110100101101110 0110010101110011
-
There are lots of things i can do with event, Mark. I can wait on it, so i dont have to deselect old event and select new one, so the original thread have a control over this original event. I can block signaling this event and signal it when i am done with my job, so original thread will be notified when it is appropriate.
011011010110000101100011011010000110100101101110 0110010101110011
csrss wrote:
I can wait on it, so i dont have to deselect old event and select new one, so the original thread have a control over this original event
Then do you have a race condition? Which thread calls WSAEnumNetworkEvents() first? Or is only one FD_XXX event being "listened for" so WSAEnumNetworkEvents() isn't called?
csrss wrote:
I can block signaling this event and signal it when i am done with my job
How do you block signalling of an event (just curious...I didn't know it was possible since I've never needed to)? You must have intimate knowledge of the existing code to believe this is feasible :)
Mark Salsbery Microsoft MVP - Visual C++ :java:
-
csrss wrote:
I can wait on it, so i dont have to deselect old event and select new one, so the original thread have a control over this original event
Then do you have a race condition? Which thread calls WSAEnumNetworkEvents() first? Or is only one FD_XXX event being "listened for" so WSAEnumNetworkEvents() isn't called?
csrss wrote:
I can block signaling this event and signal it when i am done with my job
How do you block signalling of an event (just curious...I didn't know it was possible since I've never needed to)? You must have intimate knowledge of the existing code to believe this is feasible :)
Mark Salsbery Microsoft MVP - Visual C++ :java:
This is actually more an experiment then a real life solution - i am trying to create my own layer without writing and installing one. It looks like this: some event is created in some function which sends some data over a socket:
WSAEVENT hEvent = WSACreateEvent();
::WSAEventSelect(sock, hEvent, FD_WRITE | FD_READ);
WSASend(....);And then a thread waits for event, in fact event occurs when we got some bytes waiting for us or when we are able to write some bytes. WSASend is out of the question here, because all my job is done before WSASend gets executed. The pain is WSARecv, because after this call i have some thing to do and after i am done i can return control to a function which waits for WSARecv to complete. BTW, i am hooking these calls so when WSAsomething is called control goes to my function, where i am calling WSAsomething and additionally do some work with outgoing || incoming data. So the thing is to prevent WSAsomething completion event signaling and signal it when i am done with my part. I know it is wrong :P and all bad things might happen and there can be a disaster crash or something and this is not what i am going to implement in final solution. I am trying and learning how to dig into system and control it in every ways possible. About blocking event, well, i can save old event handle, select new event, do my stuff, and when done, - signal old event and delete mine, for example :P Or i can go deeper into the cave and try to hook something here and there and do some crazy stuff, you know :D
011011010110000101100011011010000110100101101110 0110010101110011
-
This is actually more an experiment then a real life solution - i am trying to create my own layer without writing and installing one. It looks like this: some event is created in some function which sends some data over a socket:
WSAEVENT hEvent = WSACreateEvent();
::WSAEventSelect(sock, hEvent, FD_WRITE | FD_READ);
WSASend(....);And then a thread waits for event, in fact event occurs when we got some bytes waiting for us or when we are able to write some bytes. WSASend is out of the question here, because all my job is done before WSASend gets executed. The pain is WSARecv, because after this call i have some thing to do and after i am done i can return control to a function which waits for WSARecv to complete. BTW, i am hooking these calls so when WSAsomething is called control goes to my function, where i am calling WSAsomething and additionally do some work with outgoing || incoming data. So the thing is to prevent WSAsomething completion event signaling and signal it when i am done with my part. I know it is wrong :P and all bad things might happen and there can be a disaster crash or something and this is not what i am going to implement in final solution. I am trying and learning how to dig into system and control it in every ways possible. About blocking event, well, i can save old event handle, select new event, do my stuff, and when done, - signal old event and delete mine, for example :P Or i can go deeper into the cave and try to hook something here and there and do some crazy stuff, you know :D
011011010110000101100011011010000110100101101110 0110010101110011
csrss wrote:
About blocking event, well, i can save old event handle, select new event, do my stuff, and when done, - signal old event and delete mine,
Right. Problem is, when the event is signaled, WSAEnumNetworkEvents() is usually called by the waiting/polling thread to determine which event(s) occurred. Only one thread can make that call for a given event signal on a given socket (even if you duplicate the socket) because the call resets its event status. Good luck though :)
Mark Salsbery Microsoft MVP - Visual C++ :java:
-
csrss wrote:
About blocking event, well, i can save old event handle, select new event, do my stuff, and when done, - signal old event and delete mine,
Right. Problem is, when the event is signaled, WSAEnumNetworkEvents() is usually called by the waiting/polling thread to determine which event(s) occurred. Only one thread can make that call for a given event signal on a given socket (even if you duplicate the socket) because the call resets its event status. Good luck though :)
Mark Salsbery Microsoft MVP - Visual C++ :java: